Setting up RADIUS
A RADIUS (Remote Authentication Dial In User Service) server provides three basic functions: authentication, authorization and accounting, the "AAA" functions; accounting is also called "auditing" or "billing". RADIUS works in a client/server model. The Network Access Server (NAS) is the RADIUS client: it forwards the user's credentials to the configured RADIUS server and acts on the response. The authentication flow is: the user connects to the NAS; the NAS sends the RADIUS server an Access-Request packet carrying the user name, password and related attributes. The User-Password attribute is hidden rather than encrypted: it is XORed with an MD5 keystream derived from the shared secret and the 16-byte random Request Authenticator in the packet (RFC 2865). The shared secret is configured on both sides and never crosses the network, so the hiding is only as strong as the secret: anyone who knows it and captures the packet recovers the password, which is why plain RADIUS belongs on a protected management network or inside RadSec (RADIUS over TLS). The server checks the user name and password; if needed it can send an Access-Challenge to ask the user for further proof, and the shared secret lets it authenticate the NAS in turn. If the credentials are valid it returns Access-Accept and the user may proceed; otherwise it returns Access-Reject. Before trusting a reply the NAS checks its Response Authenticator, an MD5 over the reply, the Request Authenticator and the secret.
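To make the flow above concrete, here is an added example in Python (written for this page, not FreeRADIUS or radtest code) that plays both the NAS and the server for one PAP exchange using only the standard library: User-Password hiding under the shared secret (RFC 2865 section 5.2), the Response Authenticator the NAS checks on the reply, and the Message-Authenticator (HMAC-MD5, RFC 2869) whose presence is what the require_message_authenticator client setting later on this page governs. The user table, the secret testing123 and any fixed Request Authenticator are constructed for the demo; a real server never sees the secret on the wire and a real NAS draws a fresh random Request Authenticator per request.

```python
# Minimal RADIUS PAP exchange (RFC 2865 / RFC 2869) with both sides in one process.
# Added example, standard library only; not FreeRADIUS or radtest code.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
# Constructed demo data: the page's test user and the default localhost secret (assumed).
USERS = {b"testing": b"password123"}
SECRET = b"testing123"

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous block),
    seeded by the Request Authenticator. Obfuscation keyed by the secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: anyone with the secret and a capture can do this."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):  # TLV: type, total length, value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs, secret):
    """Header + attributes + Message-Authenticator = HMAC-MD5(secret, packet with the MA
    value zeroed) (RFC 2869 5.14). For a reply, pass the request's Request Authenticator."""
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, header + authenticator + body, hashlib.md5).digest()
    return header + authenticator + body[:-16] + mac  # the MA is the last attribute

def verify_message_authenticator(packet, secret, req_auth):
    attrs, i = packet[20:], 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if t == MESSAGE_AUTHENTICATOR:
            zeroed = attrs[:i + 2] + b"\x00" * 16 + attrs[i + length:]
            expected = hmac.new(secret, packet[:4] + req_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, attrs[i + 2:i + length])
        i += length
    return False  # no MA at all: what require_message_authenticator = yes rejects

def server_handle(request, secret, users):
    """Server side: returns the reply, or None when the packet is dropped (FreeRADIUS
    discards a request whose Message-Authenticator does not verify)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    if code != ACCESS_REQUEST or length != len(request):
        return None
    if not verify_message_authenticator(request, secret, req_auth):
        return None  # wrong shared secret on the client, or a tampered packet
    attrs = dict(decode_attrs(request[20:]))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = users.get(attrs.get(USER_NAME)) == password
    reply = build_packet(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 3
    resp_auth = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[:4] + resp_auth + reply[20:]

def client_verify(reply, req_auth, secret):
    """NAS side: both authenticators must check out before the reply is trusted."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20]) and \
        verify_message_authenticator(reply, secret, req_auth)

def exchange(username, password, client_secret, users, server_secret=None, req_auth=None):
    """One NAS <-> server round trip; the result reads like radtest's last line."""
    server_secret = server_secret or client_secret
    req_auth = req_auth or os.urandom(16)  # must be unpredictable for every request
    request = build_packet(ACCESS_REQUEST, 1, req_auth, [
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, client_secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([127, 0, 0, 1]))], client_secret)
    reply = server_handle(request, server_secret, users)
    if reply is None:
        return "no reply (dropped)"
    if not client_verify(reply, req_auth, client_secret):
        return "reply rejected (bad authenticator)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[reply[0]]

if __name__ == "__main__":
    print(exchange(b"testing", b"password123", SECRET, USERS))  # Access-Accept
    print(exchange(b"testing", b"wrong", SECRET, USERS))  # Access-Reject
    print(exchange(b"testing", b"password123", b"other", USERS, server_secret=SECRET))  # no reply (dropped)
```

Run it with python3 to see the three outcomes: a correct password gives Access-Accept, a wrong one Access-Reject, and a client configured with the wrong shared secret gets no reply at all, which is exactly what a mismatched secret in clients.conf looks like from radtest (a timeout, not a reject). Note what the secret carries: the password hiding and both authenticators all key off it, so the strength and secrecy of the shared secret is the entire security of a plain UDP RADIUS exchange.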
I. Installing FreeRADIUS
Download the source from the FreeRADIUS site: http://freeradius.org/download.html
Note:
It is best to install the dependencies below before building!!!
Problems encountered:
configure: WARNING: talloc library not found. Use --with-talloc-lib-dir=<path>.
configure: error: FreeRADIUS requires libtalloc
Fix:
yum install libtalloc-devel -y
Debugger not attached
Refusing to start with libssl version OpenSSL 1.0.1e-fips 11 Feb 2013 0x1000105f (1.0.1e release) (in range 1.0.1 dev - 1.0.1f release)
Security advisory CVE-2014-0160 (Heartbleed)
For more information see http://heartbleed.com
Once you have verified libssl has been correctly patched, set security.allow_vulnerable_openssl = 'CVE-2014-0160'
Fix:
vim /usr/local/etc/raddb/radiusd.conf
allow_vulnerable_openssl = yes #change to yes (the setting sits in the security { } block)
This check only looks at the version string, and the CentOS openssl-1.0.1e package carries a backported Heartbleed fix, so first confirm that CVE-2014-0160 appears in the openssl package changelog. If it does, prefer the CVE-specific value the message asks for, allow_vulnerable_openssl = 'CVE-2014-0160', which is narrower than yes; if it does not, update openssl and rebuild rather than bypassing the check.
Could not link driver rlm_sql_mysql: /usr/local/lib/rlm_sql_mysql.so: cannot open shared object file: No such file or directory
Make sure it (and all its dependent libraries!) are in the search path of your system's ld
/usr/local/etc/raddb/mods-enabled/sql[20]: Instantiation failed for module "sql"
Fix:
yum -y install mysql-devel
(on CentOS 7 this package is provided by mariadb-devel), then re-run ./configure and rebuild FreeRADIUS so that rlm_sql_mysql is actually built.
Source: https://blog.csdn.net/Name_kongkong/article/details/53010377
1. Extract:
tar -zxvf freeradius-server-3.0.26.tar.gz
2. Build:
cd freeradius-server-3.0.26
./configure (# to point at a MySQL install in a non-default location: ./configure --with-mysql-dir=/usr/share/mysql/ --with-mysql-lib-dir=/usr/lib/mysql/)
make
make install
# Installs under /usr/local by default; the configuration directory is /usr/local/etc/raddb
Check the module list at the end of the configure output: if rlm_sql_mysql is not in it, the MySQL client headers are missing (see the note above) and the sql module will fail to load later.
3. Start radiusd
# Debug mode: runs in the foreground and prints every step; use this first after any configuration change
radiusd -X
# As a background service
systemctl start radiusd
systemctl enable radiusd
# Log
/var/log/radius/radius.log
The systemctl commands and this log path apply to the distribution package (yum install freeradius). A source build under /usr/local installs no systemd unit, so start it with radiusd (or adapt the sample unit shipped in the tarball's redhat/ directory to the /usr/local paths), and its log is /usr/local/var/log/radius/radius.log, as set by logdir in radiusd.conf. radiusd -C checks the configuration and exits without binding any port.
Note:
If the port is already in use, see who holds UDP 1812 with: ss -ulnp
It is usually an instance left behind (for example one still running under radiusd -X); kill it with pkill radiusd and start again.
4. Add a user and test
Following the official test procedure, append to the end of /usr/local/etc/raddb/users:
testing Cleartext-Password := "password123"
where testing is the user name and password123 the password in clear text.
Then test the server with radtest:
radtest testing password123 127.0.0.1 0 testing123
Here 0 is the NAS-Port value and testing123 is the shared secret that the default clients.conf defines for the localhost client.
Normally the output ends with a line beginning Received Access-Accept; that means the test succeeded. Received Access-Reject means the users entry or the password is wrong; no reply at all (radtest times out) usually means the shared secret does not match, which radiusd -X reports on the server side while the client only sees silence.
II. Create the database and grant privileges
1. Install MariaDB
yum install -y mariadb-server mariadb
2. Start it
systemctl start mariadb
systemctl enable mariadb
3. Run the hardening script
mysql_secure_installation
4. Enter the database
[root@localhost ~]# mysql -uroot -p
Enter password:
5. Create the database and grant privileges
MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on radius.* to radius@'localhost' identified by 'radius';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
The account is limited to localhost, which is right because FreeRADIUS runs on the same host. Outside a lab replace the password 'radius' with a random one, and use the same value for password in the sql module below.
III. Connect RADIUS to the database
1. Import the schema
cd /usr/local/etc/raddb/mods-config/sql/main/mysql
mysql -u radius -p radius < schema.sql
This creates the radcheck, radreply, radgroupcheck, radgroupreply, radusergroup, radacct, radpostauth and nas tables that the sql module queries.
2. Configure RADIUS
cd /usr/local/etc/raddb/sites-enabled
SQL configuration
vim default
In authorize { } uncomment the sql line (it appears as -sql) and comment out files.
In accounting { } uncomment the sql line in the same way so that accounting records go to radacct. Optionally also enable sql in session { } and post-auth { } so that simultaneous-use checks and the radpostauth log use the database too.
cd /usr/local/etc/raddb/mods-available
vim sql
Change driver = "rlm_sql_null" and set the following; leave the rest at defaults:
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "radius"
radius_db = "radius"
read_clients = yes
read_clients = yes makes radiusd load RADIUS clients from the nas table at startup in addition to clients.conf. That is convenient with many NAS devices, but it also means that anyone who can write to that table (for example through a flaw in a management front-end) can add a trusted client with a secret of their choosing.
Enable the module by symlinking /usr/local/etc/raddb/mods-available/sql into /usr/local/etc/raddb/mods-enabled:
cd /usr/local/etc/raddb/mods-enabled
ln -s /usr/local/etc/raddb/mods-available/sql ./
3. Change the group of the sql link to the group radiusd runs as, since the file holds the database password (radiusd is the group the RPM uses; for a source build it must match group = in radiusd.conf):
chgrp -h radiusd /usr/local/etc/raddb/mods-enabled/sql
(/etc/raddb is where the RPM keeps its configuration; this page's source build lives under /usr/local/etc/raddb.)
4. Add a client definition. The block below accepts requests from any address; for a real deployment restrict ipaddr to the NAS's address or subnet.
[root@localhost ~]# vim /usr/local/etc/raddb/clients.conf
client all_client {
ipaddr = 0.0.0.0/0
secret = testing123
require_message_authenticator = no
}
Do not run this beyond a lab. With ipaddr = 0.0.0.0/0 and the well-known default secret testing123, any host that can reach UDP 1812 can send Access-Requests, and so guess passwords, against your user database. Use one client block per NAS, each with its own long random secret (for example from openssl rand -base64 32), and set require_message_authenticator = yes for every NAS that sends Message-Authenticator (all current ones do): with no, a reply is protected only by the MD5-based Response Authenticator, which is what the Blast-RADIUS attack (CVE-2024-3596) forges to turn an Access-Reject into an Access-Accept; FreeRADIUS 3.2.5 and later also carry the server-side mitigations. Client changes take effect after a restart.
5. Create the group's reply attributes and a user
insert into radgroupreply (groupname,attribute,op,value) values ('user','Auth-Type',':=','Local');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Service-Type',':=','Framed-User');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Address',':=','255.255.255.255');
insert into radgroupreply (groupname,attribute,op,value) values ('user','Framed-IP-Netmask',':=','255.255.255.0');
Check the rows with a select on radgroupreply.
Two remarks on these rows. Auth-Type is a control (check) attribute, not a reply attribute, and Auth-Type := Local is deprecated in 3.0: with a Cleartext-Password in radcheck the server chooses PAP by itself, so the first row can be dropped. Framed-IP-Address = 255.255.255.255 tells the NAS to let the user pick an address (255.255.255.254 would let the NAS choose), per RFC 2865.
6. Create the user (here user name test, password testpwd):
insert into radcheck (username,attribute,op,value) values ('test','Cleartext-Password',':=','testpwd');
Check the rows in radcheck.
Add the user to the group:
insert into radusergroup (username,groupname) values ('test','user');
7. Restart radiusd and test
systemctl restart radiusd
Test:
radtest test testpwd localhost 1812 testing123
The fourth argument is the NAS-Port attribute value, so 1812 here is just a number placed in the request, not the server port (to choose a server port, write localhost:1812). Received Access-Accept means the database path works; run the server under radiusd -X to watch the SQL queries it issues for this user.
Configuring SSH on CentOS to authenticate via RADIUS
1. Install dependencies
sudo yum -y install make gcc pam pam-devel
2. Download and build the pam_radius source
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
tar -xzvf pam_radius-1.4.0.tar.gz
cd pam_radius-1.4.0
sudo ./configure
sudo make
3. Copy the library into place
cp pam_radius_auth.so /lib/security/
#or on 64-bit:
cp pam_radius_auth.so /lib64/security/
4. Create the configuration directory and copy the configuration file as 'server':
sudo mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server
Make /etc/raddb/server readable by root only (mode 0600): it holds the shared secret.
5. Edit /etc/raddb/server and add your RADIUS server's IP and shared secret. The secret must be the one defined for this host's client block in the server's clients.conf; replace radius_server_IP and secret with your values.
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
#
# having localhost in your radius configuration is a Good Thing.
6. Next, tell login to use RADIUS. Edit /etc/pam.d/login and add:
auth required pam_radius_auth.so
With required, a console login fails whenever the RADIUS server is unreachable; keep a local fallback, as in the sshd stanza below, unless locking yourself out in that case is intended.
7. vim /etc/pam.d/sshd and add these two lines at the top of the auth stack:
auth sufficient pam_radius_auth.so
auth include system-auth
sufficient means a RADIUS accept ends the auth stack and the local password is never asked for; a RADIUS reject or timeout falls through to system-auth, so the local password still works. sshd_config must have UsePAM yes and PasswordAuthentication yes (or ChallengeResponseAuthentication yes for interactive challenges) for the prompt to reach PAM.
8. Add the user
sudo useradd -m USERNAME
PAM only authenticates; the account must still exist locally (or via NSS) under the same name as in RADIUS, which is why this step is needed.
Configuring sudo on Ubuntu for two-factor authentication
Next, an Ubuntu 14.04 server. First install pam-radius:
sudo apt-get install libpam-radius-auth
Configure it with the NPS server by editing /etc/pam_radius_auth.conf; the format is the same as above:
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
#
# having localhost in your radius configuration is a Good Thing.
Edit /etc/pam.d/sudo and add the line auth sufficient pam_radius_auth.so above the common-auth line:
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive
The second factor comes from the RADIUS server side (here NPS, which can front an MFA service); PAM itself only delegates the password prompt. With sufficient, a RADIUS failure falls back to the local password through common-auth; if RADIUS must be the only way in, use required and accept that sudo stops working while the server is down.
sudo with RADIUS on CentOS, whose /etc/pam.d/sudo includes system-auth rather than common-auth:
Edit /etc/pam.d/sudo and replace auth include system-auth with:
auth required pam_radius_auth.so